I'm working on getting an IPSec VPN working between Amazon EC2 and my on-premise. The goal is to be able to safely administer stuff, up/download data, etc. over that tunnel.

I have gotten the tunnel up in openswan between a Fedora 12 instance with an elastic IP and a Cisco router that's also NATted. I think the ipsec part is OK, but I'm having trouble figuring out how to route traffic that way; there's no "ipsec0" virtual interface because on Amazon you have to use netkey and not KLIPS for the vpn. I hear iptables may be required and I'm an iptables noob.

On the left (Amazon), I have a 10. network.
Box 1 is privately 10.254.110.A, publicly 184.73.168.B.
Netkey tunnel is up.
Box 2 is publicly 130.164.26.C, privately 130.164.0.D.
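As an added example (not from the question or any answer on this page), the following POSIX shell helper shows the two things a netkey/XFRM tunnel needs that an ipsec0 interface used to make visible: the iptables rules that let IKE and ESP through, keep tunnel traffic out of any MASQUERADE rule, and accept packets from the on-premise subnet only when they actually arrived inside the tunnel (the `xt_policy` match); and a checker that reads an `ip xfrm policy` dump and confirms an outbound, tunnel-mode policy exists for the remote subnet, which is the netkey equivalent of "is there a route via ipsec0". The subnets and the sample policy dump are assumptions built from the placeholder addresses above.

```shell
#!/bin/sh
# Added helper script; not part of openswan or of this thread.
# Addresses are placeholders derived from the question; adjust to the real subnets.
LOCAL_SUBNET="10.254.110.0/24"    # EC2 side, behind the elastic IP (assumed)
REMOTE_SUBNET="130.164.0.0/16"    # on-premise side, behind the Cisco (assumed)

# With netkey there is no ipsec0: the kernel selects packets for the tunnel by
# XFRM policy, so the firewall must (1) let IKE and ESP in, (2) keep tunnel
# traffic out of any MASQUERADE/SNAT rule in nat/POSTROUTING, and (3) accept
# traffic claiming to come from the remote subnet only if it was decapsulated
# from ESP (xt_policy match); plaintext with a spoofed remote source is dropped.
iptables_rules() {
  cat <<EOF
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s $LOCAL_SUBNET -d $REMOTE_SUBNET -j ACCEPT
iptables -A INPUT -s $REMOTE_SUBNET -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -s $REMOTE_SUBNET -j DROP
EOF
}

# Read an "ip xfrm policy" dump on stdin; succeed only if there is an outbound,
# tunnel-mode policy whose destination is $1. That policy is what makes netkey
# encrypt traffic to the remote subnet; without it packets follow the ordinary
# routing table in the clear, even though "ipsec auto --status" says the SA is up.
xfrm_policy_covers() {
  awk -v subnet="$1" '
    $1 == "src"                        { cur = ($4 == subnet); outdir = 0 }
    cur && $1 == "dir" && $2 == "out"  { outdir = 1 }
    outdir && /mode tunnel/            { ok = 1 }
    END                                { exit ok ? 0 : 1 }'
}

# Constructed sample of what "ip xfrm policy" prints once the tunnel is up
# (iproute2 layout; the IPs are the question's placeholders).
sample_policy() {
  cat <<'EOF'
src 10.254.110.0/24 dst 130.164.0.0/16
	dir out priority 2344 ptype main
	tmpl src 184.73.168.B dst 130.164.26.C
		proto esp reqid 16385 mode tunnel
src 130.164.0.0/16 dst 10.254.110.0/24
	dir in priority 2344 ptype main
	tmpl src 130.164.26.C dst 184.73.168.B
		proto esp reqid 16385 mode tunnel
EOF
}

# On a live box (needs root): check_live 130.164.0.0/16
check_live() {
  ip xfrm policy | xfrm_policy_covers "$1"
}

# Demo against the constructed sample.
if sample_policy | xfrm_policy_covers "$REMOTE_SUBNET"; then
  echo "outbound tunnel policy for $REMOTE_SUBNET present"
else
  echo "no outbound tunnel policy for $REMOTE_SUBNET; check leftsubnet/rightsubnet"
fi
```

Two netkey-specific points the checker does not cover: `ip route get 130.164.0.D` will still show the default route (that is expected, the XFRM policy is applied after routing), and traffic originated by Box 1 itself is only matched by the policy if its source address lies inside the left subnet, so either test with `ping -I 10.254.110.A 130.164.0.D` or set `leftsourceip=10.254.110.A` in the conn. `ip xfrm state` should list one SA per direction.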

May I suggest you have a look at vCider? It allows you to create secure, virtual networks even across provider boundaries (in case you want to expand beyond EC2). You can create your own provider-independent VPC. It also lets you 'cloak' your cloud network: basically, you can make your cloud nodes disappear from the public network, but you can specify exceptions for individual nodes. It offers specific features to connect your enterprise network to the cloud portion of the network.

Disclaimer: I work for vCider. But please don't let this stop you from having a look at it. You can create virtual private networks for up to 8 hosts for free.